EBA Warns of Money Laundering &Terrorist Financing Risks from Careless Use of Compliance Technology

The European Banking Authority (EBA) has issued a stark warning that the rapid and sometimes uncritical adoption of innovative compliance tools such as RegTech and FinTech products is creating new avenues for money laundering (ML) and terrorist financing (TF) across the EU financial sector.

In its latest biennial Opinion on Money Laundering and Terrorist Financing Risks, the EBA notes that while technological innovation can enhance detection and streamline compliance, poor implementation and governance are undermining its effectiveness. More than half of all material weaknesses reported to the EBA’s EuReCA database in 2023–2024 were linked to the improper use of AML/CFT RegTech solutions, including transaction monitoring and customer due diligence tools.

The EBA highlights several recurring issues:

• Outsourcing without adequate oversight – with 55% of competent authorities citing this as a significant or very significant risk.

• Automation without effective monitoring – leading to unchecked false positives or missed suspicious activity.

• Lack of in-house expertise – 36% of competent authorities said firms lack the skills to configure and operate RegTech tools effectively.

• Concentration risk – over-reliance on a small number of off-the-shelf products that are not tailored to specific institutional risk profiles.

FinTech firms are also under scrutiny, with 70% of competent authorities reporting high or increasing ML/TF risks in the sector. Many appear to prioritise rapid growth and customer acquisition over building robust AML/CFT frameworks. Deficiencies in transaction monitoring, inadequate customer due diligence, and exposure to cyber-enabled fraud are common weaknesses. The EBA warns that these vulnerabilities can spill over into the wider financial system when traditional institutions acquire FinTech providers.

Crypto assets service providers (CASPs) remain a high-risk area, particularly during the transition to the new EU Markets in Crypto Assets (MiCA) framework. The EBA reports that some CASPs have tried to bypass licensing and AML/CFT supervision entirely, while others operate with weak governance, poor oversight, and ineffective systems for identifying customer risk.

The regulator urges competent authorities to strengthen supervision, promote best practice in technology adoption, and ensure that innovation does not come at the expense of compliance. The report warns that without more consistent application of risk-based approaches, the gap between regulatory expectations and actual practice will persist, leaving the EU financial system exposed to abuse.

Read the report here.